Linkable Message Tagging Solving the Key Distribution Problem of Signature Schemes Felix Günther

Similar documents
Certificateless Public Key Cryptography

On the Security of a Certificateless Public-Key Encryption

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Public-key Cryptography: Theory and Practice

Digital Signatures. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 54

An Efficient Certificateless Proxy Re-Encryption Scheme without Pairing

CSC 5930/9010 Modern Cryptography: Digital Signatures

Cryptography: More Primitives

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

An IBE Scheme to Exchange Authenticated Secret Keys

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

STRONGER SECURITY NOTIONS FOR DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES AND MORE EFFICIENT CONSTRUCTIONS

Lecture 10, Zero Knowledge Proofs, Secure Computation

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Timed-Release Certificateless Encryption

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Notes for Lecture 14

TRNG Based Key Generation for Certificateless Signcryption

Symmetric Encryption 2: Integrity

Public Key Cryptography

A Short Certificate-based Signature Scheme with Provable Security

Introduction to Cryptography Lecture 10

Lecture 2 Applied Cryptography (Part 2)

Direct Anonymous Attestation

Cryptanalysis on Two Certificateless Signature Schemes

White-box Cryptomania

Digital Signature. Raj Jain

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila

Investigating the OpenPGP Web of Trust

Key Escrow free Identity-based Cryptosystem

Structure-Preserving Certificateless Encryption and Its Application

Cryptography and Network Security. Sixth Edition by William Stallings

Scalable privacy-enhanced traffic monitoring in vehicular ad hoc networks

Compact and Anonymous Role-Based Authorization Chain

CS Computer Networks 1: Authentication

Multi-Theorem Preprocessing NIZKs from Lattices

Oblivious Signature-Based Envelope

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

On the security of a certificateless signature scheme in the standard model

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Diffie-Hellman. Part 1 Cryptography 136

Remove Key Escrow from The Identity-Based Encryption System

Encryption. INST 346, Section 0201 April 3, 2018

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Security Analysis of Batch Verification on Identity-based Signature Schemes

1. Digital Signatures 2. ElGamal Digital Signature Scheme 3. Schnorr Digital Signature Scheme 4. Digital Signature Standard (DSS)

COST-EFFECTIVE AUTHENTIC AND ANONYMOUS DATA SHARING WITH FORWARD SECURITY

Public Key Cryptography, OpenPGP, and Enigmail. 31/5/ Geek Girls Carrffots GVA

An Exploration of Group and Ring Signatures

Spatial Encryption. March 17, Adam Barth, Dan Boneh, Mike Hamburg

A concrete certificateless signature scheme without pairings

Identity-Based Decryption

Crypto for Cloud and Blockchain

Part VI. Public-key cryptography

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Certificateless Onion Routing

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

Digital signatures: How it s done in PDF

Pretty Good Privacy (PGP)

Secure Multiparty Computation

Unit 8 Review. Secure your network! CS144, Stanford University

Delegatability of an Identity Based Strong Designated Verifier Signature Scheme

Malicious KGC Attacks in Certificateless Cryptography

CSE 565 Computer Security Fall 2018

Public Key Algorithms

Introduction to Security Reduction

A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. Felix Günther. Technische Universität Darmstadt, Germany

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

Deniable Unique Group Authentication CS380S Project Report

Secure digital certificates with a blockchain protocol

Lecture Notes 14 : Public-Key Infrastructure

Randomness Extractors. Secure Communication in Practice. Lecture 17

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Notes for Lecture 21. From One-Time Signatures to Fully Secure Signatures

CT30A8800 Secured communications

A Thesis for the Degree of Master of Science. Provably Secure Threshold Blind Signature Scheme Using Pairings

An Enhanced Certificateless Authenticated Key Agreement Protocol

Design of Secure VoIP using ID-Based Cryptosystem

Cryptographic Hash Functions

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Marc Fischlin, Giorgia Azzurra Marson, and Kenneth G.

Entity Recognition for Sensor Network Motes (Extended Abstract)

Introduction to Public-Key Cryptography

Cryptographically Secure Bloom-Filters

Introduction to Modern Cryptography. Benny Chor

Mike Reiter. University of North Carolina at Chapel Hill. Proliferation of mobile devices. Proliferation of security-relevant apps using these

More crypto and security

Public-Key Cryptography Techniques Evaluation

Outline Key Management CS 239 Computer Security February 9, 2004

Transcription:

Linkable Message Tagging Solving the Key Distribution Problem of Signature Schemes Felix Günther Technische Universität Darmstadt Germany Bertram Poettering Ruhr-Universität Bochum Germany June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 1

Sending Letters back in ancient times... Dear Bob, I wanted to......... Alice Dear Alice, thank you for......... Bob authentication through signatures June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 2 drawings by Giorgia Azzurra Marson

Sending Letters today... Dear Bob, sk A sk B Dear Alice, I wanted to......... Alice thank you for......... Bob σ A Sign(sk A,... ) σ B Sign(sk B,... ) authentication through digital signatures June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 3

Sending Letters today... Dear Bob, I wanted to......... Alice But: Alice and Bob might not even know each other prior to communicating sk A, vk B sk B, vk A Dear Alice, thank you for......... Bob sk A, vk B sk B, vk A σ A Sign(sk A,... ) σ B Sign(sk B,... ) Verify(vk B,..., σ B ) Verify(vk A,..., σ A ) How to authentically distribute keys? June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 3

Approaches So Far (Selection) (Hierarchical) PKIs (X.509) certificates issued by CAs bind keys to identities HTTPS-secured web, S/MIME email encryption/signing large number of (trusted) root and intermediate CAs unclear trust relations / CA compromises (DigiNotar, TURKTRUST,... ) revocation seems difficult (Social) PKIs web of trust, personally signing keys OpenPGP Alice Bob Charlie Dave scalability, time-consuming/error-prone authentication ( key signing parties ) privacy issues (reveals social relationships) June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 4

Approaches So Far (More Academic Selection) Identity-Based Signatures (Shamir 1984) public key = identitiy of a user (e.g., vk A = "Alice") inherent key escrow problem (master key which can decrypt everything) Certificateless Signatures (Al-Riyami, Paterson 2003) hybrid between PKI and identity-based user obtains partial private key to complete on her own still requires some trust in (and existence of) central party Message Recognition (Weimerskirch, Westhoff 2003) method to recognize each others messages as authentic requires prior exchange of small amount of authentic data June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 5

A Novel Approach: History-Based Message Authentication vk B vk A Goals detect forged messages given a single authentically delivered message (unknown which one it is) without explicit exchange of verification keys New tool: Linkable Message Tagging June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 6

Linkable Message Tagging Syntax tk A τ 1 Tag(tk A, m 1 ) τ 2 Tag(tk A, m 2 ) m 1, τ 1 m 2, τ 2 m n, τ n τ n Tag(tk A, m n) Link(m 1, τ 1, m n, τ n) = 1 LMT Scheme KGen(1 λ ): Generate a tagging key tk. Tag(tk, m): Output a tag τ for a message m. required to be an equivalence relation Link(m 1, τ 1, m 2, τ 2 ): Output 0 or 1. (short for 1: (m 1, τ 1 ) (m 2, τ 2 )) Intuition: 1 iff (m, τ)-pairs created with same key. June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 7

Linkable Message Tagging Security tk A τ 1 Tag(tk A, m 1 ) τ 2 Tag(tk A, m 2 ) τ n Tag(tk A, m n) m 1, τ 1 m 2, τ 2 m n, τ n same-origin relation via Link (m, τ )! (m i, τ i ) (Existential) Unforgeability Adversary seeing tags τ i for messages m i of its choice is not able to forge a new tag τ for an unseen message m such that (m, τ ) (m i, τ i ) for any (m i, τ i ). strong unforgeability: τ can be for a previously seen message m i June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 8

Linkable Message Tagging Envisioned Application Envisioned application: automated email authentication easy-to-use and fully-automated cryptographic authentication of email automatically set up tagging keys (on first use) automatically tag all outgoing emails automatically visually group incoming emails (according to relation ) advantages: everything fully automatic (no user interaction required) no exchange of verification keys needed unforgeability guarantees: adversarial emails are grouped separately June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 9

Linkable Message Tagging A Construction BLS-LMT scheme based on BLS signatures (Boneh, Lynn, Shacham 2001) Ingredients: (symmetric) bilinear group G = g (prime order q) with map e : G G G T hash function H : {0, 1} G \ {1} KGen(1 λ ): x $ Z q, output tk = x. Tag(tk, m): Output a τ = H(m) tk = H(m) x. Link(m 1, τ 1, m 2, τ 2 ): Output 1 if e(h(m 1 ), τ 2 ) = e(h(m 2 ), τ 1 ). Correctness: (in particular Link establishes equivalence relation) (m 1, τ 1 ) (m 2, τ 2 ) e(h(m 1 ), H(m 2 )) tk2 = e(h(m 2 ), H(m 1 )) tk1 tk 1 = tk 2 Security: BLS-LMT is strongly unforgeable if CDH is hard in G, in the ROM (proof via strong unforgeability of BLS signatures) June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 10

Linkable Message Tagging Generic Relation with Signatures recall: LMT is not a public key primitive! natural and efficient transformations between LMT and signature schemes + perhaps surprising, interesting theoretical relation little hope for practical construction from symmetric primitives only Signature LMT basic idea: use signing key as tk and include verification key in tag: τ = (σ, vk) several design choices for admissible equivalence relations defined by Link inherits signature scheme s (existential/strong) unforgeability LMT Signature basic idea: use tk as sk and distinct tag as verification key: vk = Tag(tk, "0") signature verification through Link-ing with verification key again preserves (existential/strong) unforgeability June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 11

Automated Email Authentication Revisited tk A τ 1 Tag(tk A, m 1 ) τ 2 Tag(tk A, m 2 ) m 1, τ 1 m 2, τ 2 m n, τ n τ n Tag(tk A, m n) Link(m 1, τ 1, m n, τ n) = 1 in envisioned automated email authentication: Link must be checked with (m, τ) from each origin/ -group would be nice if origin was efficiently identifiable June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 12

Classifiable Message Tagging Syntax tk A τ 1 Tag(tk A, m 1 ) τ 2 Tag(tk A, m 2 ) m 1, τ 1 m 2, τ 2 τ n Tag(tk A, m n) m n, τ n Classify(m n, τ n) = cid CMT Scheme KGen(1 λ ): Generate a tagging key tk. Tag(tk, m): Output a tag τ for a message m. Classify(m, τ): Output a class identifier cid. Intuition: each tk corresponds with one specific cid tk. (existential/strong) unforgeability defined as expected June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 12

Classifiable Message Tagging Generic Relations CMT schemes are special LMT schemes by defining: Link(m 1, τ 1, m 2, τ 2 ) = 1 Classify(m 1, τ 1 ) = Classify(m 2, τ 2 ) but not all LMT schemes have CMT analogues e.g., BLS-LMT: cid tk could be tk or g tk, contradicting DLP/CDH Signature CMT again: use signing key as tk and include verification key in tag: τ = (σ, vk) use class identifier cid = vk CMT Signature use class identifier as verification key vk = cid tk June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 13

Classifiable Message Tagging A Highly Efficient Construction Schnorr-CMT scheme based on Schnorr signatures (Schnorr 1990) Key insight: Schnorr vk can be reconstructed from any valid signature KGen(1 λ ): tk = Schnorr signing key Tag(tk, m): τ = Schnorr signature Classify(m, τ): Output cid = Schnorr verification key, reconstructed from τ Security: Schnorr-CMT is strongly unforgeable if DLP is hard, in the ROM (proof via strong unforgeability of Schnorr signatures) Efficiency: 50,000 classifications/sec on a current high-end CPU using elliptic-curve-based Ed25519 (Bernstein et al. 2011) June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 14

Summary History-based message authentication: side-stepping the key distribution problem. We introduce linkable message tagging, authenticating messages without pre-shared verification keys or PKI τ1 Tag(tkA, m1) τ2 Tag(tkA, m2) tka m1, τ1 m2, τ2 mn, τn τn Tag(tkA, mn) Link(m1, τ1, mn, τn) = 1 identify the practical subclass of classifiable message tagging explore the generic relation between LMT/CMT and signature schemes provide efficient constructions In the full version (eprint 2014/014) CMT scheme without random oracles from Waters signatures on DSA- and ECDSA-based CMT schemes on CMT schemes from Fiat-Shamir transformed signatures do S/MIME and OpenPGP lead to efficient CMT schemes? Thank You! June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback